PA installs - the missing details

Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA installs - the missing details

L1 Bithead

Hello all,

since I'm just getting to grips with the support processes here apologies if I've missed a nice handy guide anywhere about this.  My various questions don't seem to be covered in the Tech Notes though.

I'm installing some Palo Altos in to an existing network with multiple security elements.  I'm missing some of the critical configuration parameters that will allow the PAs to do their work through other security devices.  I know others have solved these questions because they have PAs working so hopefully somebody can share the answers here Smiley Happy

1) Software Updates

The PAs look for their updates at

I need this traffic to go through a proxy (bluecoat on port 8080).  It is going to be added as an unathenticated traffic rule and therefore tied down to where it can get to and which protocols are permitted.  Potentially as an alternative there will be some L3 firewalls that block/permit traffic based on IPs and Ports.

Can anybody tell me what protocols / ports are used by the PAs to get their software updates?  I'm assuming it's over https but assumptions are never a comfortable thing to have.  Also what IPs are (at least at the moment) going to be seen used for update traffic?

2) Threat DB Updates

Same questions as for 1), I'm guessing the answer will be identical as well but if it is different the details would be nice to know.

3) Bright Could URL DB

Same questions as for 1) again.

The reasons I ask all this is because in theory the network is configured so that it should work but it isn't.

The PAs have traffic permitted from the Management interface to the L3 Proxy IP on port 8080.

The PAs are configured to use a proxy with an IP address equal to the load balanced IP of the proxies.  (Both the LB VIP and the physical proxy IPs are on different subnets from the management IPs so it shouldn't matter whether there's a source NAT or not, the proxy VIP is known to be working)

The proxy is configured to permit the PAs to connect to the Internet without authentication but they are resticted to only (brightcloud will be added later once basic updates are working).

The proxies do a source IP NAT and their traffic is permitted out to the Internet.

And yet when I go to Device > Dynamic Updates it pauses for a bit then "Failed to get response from device server.  Please try again later.".  I can't analyse the details from the PA because I can't do packet captures on the management interface.

The BCs are managed by a separate ops centre and I have no way of directly verifying their config.  The firewalls and load balancers are managed by yet another group of people and appear to be set up correctly.  I'm currently therefore assuming that I have provided bad/incomplete requirements to them at some point.

Anybody able to confirm my assumptions on ports / protocols please?  Provide any IP details beyond the IP that is resolved for a DNS lookup of  Additional troubleshooting options / CLI commands that would be handy in narrowing down what is going on?


L5 Sessionator

The is a content delivery network which currently resolves to The requests are typically made over port 443(ssl) which include application, threats and antivirus updates. As for the Bright Cloud updates, they are now using dynamic ip addresses. The device will first connect to on port 80 and checks for updates. If there are updates available, it will connect to on 443 to download the database.

You can verify the ip addresses for url updates through CLI:

> less mp-log pan_bc_download.log

For update server:

> less mp-log ms.log

Hope that helps.

L4 Transporter

Andy.2.Gardner wrote:

The proxy is configured to permit the PAs to connect to the Internet without authentication but they are resticted to only (brightcloud will be added later once basic updates are working).

The proxies do a source IP NAT and their traffic is permitted out to the Internet.

If your proxy requires authentication, why not just configure an account which has global access for the PAN device to use, and assign the username and password in the firewall setup?

I've successfully done this through a Bluecoat (and Websense) proxy in the past - then you just monitor the traffic going through on the userID on the Bluecoat and tighten your web access policy appropriately.

Personally, I'd be pushing to dump the Bluecoat completely, but that's just me - the Palo Alto's do a better job of classifying and restricting access that the Bluecoat does anyway.

L1 Bithead

Thanks for the responses.  Following some further investigations by the support team it turns out that there were some firewall rules missing despite early attempts at clarifications.

  • 3 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!